Identify Untrusted CA Certificates (Strata Cloud Manager)

  1. Block sessions with untrusted issuers in the decryption profile for SSL Forward Proxy.
    When you block sessions with untrusted issuers in the decryption profile, the decryption log records the error.
    1. Select Configuration > NGFW and Prisma Access > Security Services > Decryption.
    2. Under Decryption Profiles, select or Add a new profile, and then select the Block sessions with untrusted issuers option.
  2. Filter decryption logs to identify sessions that failed due to revoked certificates.
    1. Select Log Viewer > Firewall/Decryption.
    2. Use the query Error Message = 'Untrusted issuer CA'.
  3. (Optional) Double-check the certificate expiration date at the Qualys SSL Labs site.
    Enter the hostname of the server (Server Name Identification column of the decryption log) in the Hostname field, and then Submit it to view certificate information for the host.
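
To decide which hosts to look up in step 3, the filtered log rows can be grouped by hostname. The script below is an added example, not part of the original documentation or of Strata Cloud Manager. It assumes the log view was exported as CSV with headers matching the Error Message and Server Name Identification columns; the CSV layout and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Column names taken from the procedure above; the CSV layout itself is an
# assumption about how the filtered log view was exported.
ERROR_COL = "Error Message"
SNI_COL = "Server Name Identification"
UNTRUSTED = "Untrusted issuer CA"

# Constructed sample rows (not real log data).
SAMPLE_EXPORT = """\
Time,Source Address,Server Name Identification,Error Message
2024-05-01T10:00:01Z,10.0.0.5,intranet.example.test,Untrusted issuer CA
2024-05-01T10:00:07Z,10.0.0.9,Intranet.Example.Test.,Untrusted issuer CA
2024-05-01T10:01:12Z,10.0.0.5,shop.example.test,Other error
2024-05-01T10:02:30Z,10.0.0.7,,Untrusted issuer CA
2024-05-01T10:03:44Z,10.0.0.5,legacy.example.test,untrusted issuer ca
"""


def normalize_host(name):
    """Lower-case the SNI value and drop whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def untrusted_issuer_hosts(csv_text):
    """Return (per-host session counts, number of matching rows without SNI)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {ERROR_COL, SNI_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    hosts, no_sni = Counter(), 0
    for row in reader:
        if (row[ERROR_COL] or "").strip().casefold() != UNTRUSTED.casefold():
            continue
        host = normalize_host(row[SNI_COL] or "")
        if host:
            hosts[host] += 1
        else:
            no_sni += 1  # nothing to look up by hostname
    return hosts, no_sni


if __name__ == "__main__":
    hosts, no_sni = untrusted_issuer_hosts(SAMPLE_EXPORT)
    for host, count in hosts.most_common():
        print(f"{count:4d}  {host}")
    print(f"{no_sni} matching session(s) had no SNI value")
```

Sessions with an empty hostname are counted separately because they cannot be checked by hostname.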